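# Production override for docker-compose.yml
# Usage: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# This file enforces production security settings:
# - TLS/SSL for all database and Redis connections
# - Vault integration for secrets management
# - Non-default ports for security through obscurity
#
# Not provided by this override (no `deploy.resources`, `read_only`,
# `cap_drop` or `security_opt` entries are defined below) and still to be added:
# - Resource limits
# - Security context for containers
#
# Every `${VAR:?message}` expansion below makes Compose abort before starting
# any container when a required secret or address is missing, instead of
# silently starting with an empty value. POSTGRES_PASSWORD and REDIS_PASSWORD
# are interpolated verbatim into URLs, so they must be URL-encoded if they
# contain reserved characters such as `@`, `/`, `:`, `?`, `#` or `%`.
version: '3.9'

services:
  # PostgreSQL - Enforce TLS and SCRAM authentication
  postgres:
    environment:
      # Require SCRAM for host and local connections. POSTGRES_INITDB_ARGS is
      # only applied when the data directory is initialised for the first time.
      POSTGRES_HOST_AUTH_METHOD: scram-sha-256
      POSTGRES_INITDB_ARGS: --auth-host=scram-sha-256 --auth-local=scram-sha-256
    command: >-
      postgres
      -c ssl=on
      -c ssl_cert_file=/var/lib/postgresql/server.crt
      -c ssl_key_file=/var/lib/postgresql/server.key
      -c ssl_ca_file=/var/lib/postgresql/root.crt
      -c password_encryption=scram-sha-256
      -c log_connections=on
      -c log_disconnections=on
    volumes:
      # Mount TLS certificates (must be provided separately).
      # PostgreSQL rejects a private key that is group- or world-readable, so
      # the host file ./certs/postgres/server.key must be mode 0600 (owned by
      # the container's postgres user) or 0640 owned by root.
      - ./certs/postgres/server.crt:/var/lib/postgresql/server.crt:ro
      - ./certs/postgres/server.key:/var/lib/postgresql/server.key:ro
      - ./certs/postgres/root.crt:/var/lib/postgresql/root.crt:ro

  # Redis - Enforce TLS and authentication
  redis:
    command: >-
      redis-server
      --appendonly yes
      --maxmemory 512mb
      --maxmemory-policy allkeys-lru
      --requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD environment variable is required}
      --tls-port 6380
      --port 0
      --tls-cert-file /tls/redis.crt
      --tls-key-file /tls/redis.key
      --tls-ca-cert-file /tls/ca.crt
      --tls-auth-clients no
    # `--port 0` disables the plaintext listener; `--tls-auth-clients no`
    # means clients are authenticated by password only, not by a client
    # certificate. Switch it to `yes` once every client has a certificate
    # signed by /tls/ca.crt to get mutual TLS.
    ports:
      # TLS port instead of 6379. Compose concatenates `ports` across override
      # files, so any 6379 mapping in the base file stays published (nothing
      # listens there, but the mapping is still visible on the host).
      # This publishes Redis on every host interface; prefer
      # "127.0.0.1:6380:6380" unless clients outside the Compose network
      # genuinely need to reach it.
      - "6380:6380"
    volumes:
      # Mount TLS certificates (must be provided separately)
      - ./certs/redis/redis.crt:/tls/redis.crt:ro
      - ./certs/redis/redis.key:/tls/redis.key:ro
      - ./certs/redis/ca.crt:/tls/ca.crt:ro

  # Migrate - Use TLS connection
  migrate:
    environment:
      # sslmode=require (here and in every DATABASE_URL below) encrypts the
      # connection but, depending on the client library, may not verify the
      # server certificate or hostname against sslrootcert (libpq upgrades to
      # verify-ca when a root cert is supplied; other drivers do not). Prefer
      # sslmode=verify-full once server.crt carries the `postgres` hostname.
      # NOTE(review): this service mounts ./certs/postgres/root.crt while every
      # other client mounts ./certs/postgres/ca.crt — confirm both files exist
      # and contain the CA that signed server.crt.
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/root.crt
    volumes:
      - ./certs/postgres/root.crt:/certs/root.crt:ro

  # Orchestrator - TLS connections and Vault
  orchestrator:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      # The tls_* query parameters are read by the application's Redis client;
      # a stock client ignores unknown parameters, so verify they are honoured
      # (tls_insecure_skip_verify must stay false in production).
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
      # Vault configuration
      VAULT_ENABLED: "true"
      VAULT_ADDR: ${VAULT_ADDR:?VAULT_ADDR environment variable is required}
      # Only needed when VAULT_AUTH_METHOD is `token`; with the default
      # `kubernetes` method it stays empty so no long-lived token sits in the
      # container environment.
      VAULT_TOKEN: ${VAULT_TOKEN:-}
      VAULT_AUTH_METHOD: ${VAULT_AUTH_METHOD:-kubernetes}
      VAULT_MOUNT_PATH: ${VAULT_MOUNT_PATH:-secret}
      VAULT_SECRET_PATH: ${VAULT_SECRET_PATH:-cryptofunk/production}
      # Environment
      CRYPTOFUNK_APP_ENVIRONMENT: production
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # MCP Server: Market Data - TLS connections
  market-data-server:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # MCP Server: Technical Indicators - TLS connections
  technical-indicators-server:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # MCP Server: Risk Analyzer - TLS connections
  risk-analyzer-server:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # MCP Server: Order Executor - TLS connections
  order-executor-server:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # Trading Agent: Technical Analysis - TLS connections
  technical-agent:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # Trading Agent: Order Book Analysis - TLS connections
  orderbook-agent:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # Trading Agent: Sentiment Analysis - TLS connections
  sentiment-agent:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # Trading Agent: Trend Following - TLS connections
  trend-agent:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # Trading Agent: Mean Reversion - TLS connections
  reversion-agent:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # Trading Agent: Risk Management - TLS connections
  risk-agent:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro

  # REST/WebSocket API Server - TLS connections
  api:
    environment:
      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD environment variable is required}@postgres:5432/cryptofunk?sslmode=require&sslrootcert=/certs/postgres-ca.crt
      REDIS_URL: rediss://:${REDIS_PASSWORD}@redis:6380?tls_insecure_skip_verify=false&tls_ca_cert=/certs/redis-ca.crt
      # Enforce production settings. The CORS_ORIGINS default is a placeholder
      # domain; set the real origin(s) in the deployment environment.
      CORS_ORIGINS: ${CORS_ORIGINS:-https://cryptofunk.example.com}
      CRYPTOFUNK_APP_ENVIRONMENT: production
    volumes:
      - ./certs/postgres/ca.crt:/certs/postgres-ca.crt:ro
      - ./certs/redis/ca.crt:/certs/redis-ca.crt:ro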